umbral | e15b1ff3eb180023710277f71246a22b705ff26a4826789a004b77137df5d30d

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-08-2023 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

228KB
MD5

18035d182c38cd4bdac10b181d956b32
SHA1

7a024ccc6625b4c232064cff47dc52b3d3efe4fe
SHA256

e15b1ff3eb180023710277f71246a22b705ff26a4826789a004b77137df5d30d
SHA512

9cd6c414a15ae3cf89756f081e464c5e8ecf2951dd546a7930d88d31abb48ce37ba263ad18d0c3cdb74090ce0f85847d6747c183b61274c43f9f9f445a077566
SSDEEP

6144:kloZMIrIkd8g+EtXHkv/iD4LQ1DjpaC9uop7mGzuib8e1mBi:CoZnL+EP8LQ1DjpaC9uop7mGzhj

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1952-54-0x00000000010A0000-0x00000000010E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1428	wmic.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2424	powershell.exe
2956	powershell.exe
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	Umbral.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe
Token: SeSystemProfilePrivilege	2708	wmic.exe
Token: SeSystemtimePrivilege	2708	wmic.exe
Token: SeProfSingleProcessPrivilege	2708	wmic.exe
Token: SeIncBasePriorityPrivilege	2708	wmic.exe
Token: SeCreatePagefilePrivilege	2708	wmic.exe
Token: SeBackupPrivilege	2708	wmic.exe
Token: SeRestorePrivilege	2708	wmic.exe
Token: SeShutdownPrivilege	2708	wmic.exe
Token: SeDebugPrivilege	2708	wmic.exe
Token: SeSystemEnvironmentPrivilege	2708	wmic.exe
Token: SeRemoteShutdownPrivilege	2708	wmic.exe
Token: SeUndockPrivilege	2708	wmic.exe
Token: SeManageVolumePrivilege	2708	wmic.exe
Token: 33	2708	wmic.exe
Token: 34	2708	wmic.exe
Token: 35	2708	wmic.exe
Token: SeIncreaseQuotaPrivilege	2708	wmic.exe
Token: SeSecurityPrivilege	2708	wmic.exe
Token: SeTakeOwnershipPrivilege	2708	wmic.exe
Token: SeLoadDriverPrivilege	2708	wmic.exe
Token: SeSystemProfilePrivilege	2708	wmic.exe
Token: SeSystemtimePrivilege	2708	wmic.exe
Token: SeProfSingleProcessPrivilege	2708	wmic.exe
Token: SeIncBasePriorityPrivilege	2708	wmic.exe
Token: SeCreatePagefilePrivilege	2708	wmic.exe
Token: SeBackupPrivilege	2708	wmic.exe
Token: SeRestorePrivilege	2708	wmic.exe
Token: SeShutdownPrivilege	2708	wmic.exe
Token: SeDebugPrivilege	2708	wmic.exe
Token: SeSystemEnvironmentPrivilege	2708	wmic.exe
Token: SeRemoteShutdownPrivilege	2708	wmic.exe
Token: SeUndockPrivilege	2708	wmic.exe
Token: SeManageVolumePrivilege	2708	wmic.exe
Token: 33	2708	wmic.exe
Token: 34	2708	wmic.exe
Token: 35	2708	wmic.exe
Token: SeIncreaseQuotaPrivilege	572	wmic.exe
Token: SeSecurityPrivilege	572	wmic.exe
Token: SeTakeOwnershipPrivilege	572	wmic.exe
Token: SeLoadDriverPrivilege	572	wmic.exe
Token: SeSystemProfilePrivilege	572	wmic.exe
Token: SeSystemtimePrivilege	572	wmic.exe
Token: SeProfSingleProcessPrivilege	572	wmic.exe
Token: SeIncBasePriorityPrivilege	572	wmic.exe
Token: SeCreatePagefilePrivilege	572	wmic.exe
Token: SeBackupPrivilege	572	wmic.exe
Token: SeRestorePrivilege	572	wmic.exe
Token: SeShutdownPrivilege	572	wmic.exe
Token: SeDebugPrivilege	572	wmic.exe
Token: SeSystemEnvironmentPrivilege	572	wmic.exe
Token: SeRemoteShutdownPrivilege	572	wmic.exe
Token: SeUndockPrivilege	572	wmic.exe
Token: SeManageVolumePrivilege	572	wmic.exe
Token: 33	572	wmic.exe
Token: 34	572	wmic.exe
Token: 35	572	wmic.exe
Token: SeIncreaseQuotaPrivilege	572	wmic.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2424	1952	Umbral.exe	28
PID 1952 wrote to memory of 2424	1952	Umbral.exe	28
PID 1952 wrote to memory of 2424	1952	Umbral.exe	28
PID 1952 wrote to memory of 2956	1952	Umbral.exe	30
PID 1952 wrote to memory of 2956	1952	Umbral.exe	30
PID 1952 wrote to memory of 2956	1952	Umbral.exe	30
PID 1952 wrote to memory of 2708	1952	Umbral.exe	32
PID 1952 wrote to memory of 2708	1952	Umbral.exe	32
PID 1952 wrote to memory of 2708	1952	Umbral.exe	32
PID 1952 wrote to memory of 572	1952	Umbral.exe	35
PID 1952 wrote to memory of 572	1952	Umbral.exe	35
PID 1952 wrote to memory of 572	1952	Umbral.exe	35
PID 1952 wrote to memory of 1484	1952	Umbral.exe	37
PID 1952 wrote to memory of 1484	1952	Umbral.exe	37
PID 1952 wrote to memory of 1484	1952	Umbral.exe	37
PID 1952 wrote to memory of 2324	1952	Umbral.exe	39
PID 1952 wrote to memory of 2324	1952	Umbral.exe	39
PID 1952 wrote to memory of 2324	1952	Umbral.exe	39
PID 1952 wrote to memory of 1428	1952	Umbral.exe	41
PID 1952 wrote to memory of 1428	1952	Umbral.exe	41
PID 1952 wrote to memory of 1428	1952	Umbral.exe	41

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc6141f1e22dd3d7ed95d6bcf3e0f092

SHA1
8c2f0899342da9b515d4b21e8fa56a1fe5796208

SHA256
413601c2304229e88210e8715e7ed2364912d6edb25879edbc505a9bb74dde2b

SHA512
8dd94413ba256aad357e78e49225d6c94fa0ecca20d5bbc10af88f1c31d35bf6a085a833042a2599e82ddb1997141244959f11e44c51763a23dbde40496fcfe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc6141f1e22dd3d7ed95d6bcf3e0f092

SHA1
8c2f0899342da9b515d4b21e8fa56a1fe5796208

SHA256
413601c2304229e88210e8715e7ed2364912d6edb25879edbc505a9bb74dde2b

SHA512
8dd94413ba256aad357e78e49225d6c94fa0ecca20d5bbc10af88f1c31d35bf6a085a833042a2599e82ddb1997141244959f11e44c51763a23dbde40496fcfe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8I1VMCX858HEBAB8HJVN.temp

Filesize
7KB

MD5
bc6141f1e22dd3d7ed95d6bcf3e0f092

SHA1
8c2f0899342da9b515d4b21e8fa56a1fe5796208

SHA256
413601c2304229e88210e8715e7ed2364912d6edb25879edbc505a9bb74dde2b

SHA512
8dd94413ba256aad357e78e49225d6c94fa0ecca20d5bbc10af88f1c31d35bf6a085a833042a2599e82ddb1997141244959f11e44c51763a23dbde40496fcfe5

Download Submit
memory/1952-54-0x00000000010A0000-0x00000000010E0000-memory.dmp

Filesize
256KB

Download
memory/1952-55-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1952-56-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download
memory/1952-104-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1952-76-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download
memory/1952-69-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-97-0x000007FEEDA20000-0x000007FEEE3BD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-96-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2324-98-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2324-95-0x000007FEEDA20000-0x000007FEEE3BD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-99-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2324-100-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2324-94-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2324-101-0x000007FEEDA20000-0x000007FEEE3BD000-memory.dmp

Filesize
9.6MB

Download
memory/2324-93-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2424-66-0x000007FEEDA20000-0x000007FEEE3BD000-memory.dmp

Filesize
9.6MB

Download
memory/2424-70-0x000007FEEDA20000-0x000007FEEE3BD000-memory.dmp

Filesize
9.6MB

Download
memory/2424-61-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2424-63-0x000007FEEDA20000-0x000007FEEE3BD000-memory.dmp

Filesize
9.6MB

Download
memory/2424-62-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2424-64-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2424-65-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2424-67-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2424-68-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/2956-84-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2956-77-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2956-79-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2956-78-0x000007FEED080000-0x000007FEEDA1D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-86-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2956-85-0x000007FEED080000-0x000007FEEDA1D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-80-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2956-82-0x000007FEED080000-0x000007FEEDA1D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-83-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2956-81-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download